GDPR – For some it will have felt like a bit of an uphill battle, but now the dust has settled, the world hasn’t ended, what happens next? Read on for 4 steps that’ll make sure you’re not caught out…
As he dusted off his laptop and prised open the lid, David racked his brain to remember his password. No surprise there; David always struggled to remember it, but after two weeks off it felt more like Mastermind than a familiar series of letters, numbers and special characters! Five, six, seven attempts and he was in! He was a bit nervous, sweaty-palmed in fact. That familiar feeling of trepidation he got when returning to work after a long break. What surprises awaited him? Had Jeanne from Accounts remembered to pay his supplier invoice? Had Russell the Marketing Intern emailed the entire database by mistake? But this time it was different, it was more than that… because David was the company's new Data Protection Officer!
A cursory glance at his inbox revealed that the endless procession of Privacy Statement emails had dried up. There were no emails marked urgent from the GDPR Taskforce that David had headed up before jetting off on his holiday, and there was even a pat on the back from his boss. A job well done. David breathed a sigh of relief; he'd done it. The GDPR deadline had passed, and the world hadn't ended! Phew! So, we can all go back to our day jobs now, right? Or so David thought…
It's safe to say that David won't have been the only one returning to work a little nervous after the deadline. It's also safe to say that he won't be the only one who's now thinking "job done". With so much focus on the 25th May and the relief of getting it all done, you could almost forgive him (almost). But what next? The truth is that the job has only just started. GDPR is ongoing and the UK Data Protection Act is only just around the corner. Compliance needs to be managed, monitored and maintained, which is no mean feat!
It's important to remember, though, that amongst all the scaremongering and big brand faux pas, the regulation has the data subject's interests at heart, and it's the safety of their data that the overriding principle looks to protect, so it's well worth the effort. The regulation isn't designed to restrict business, but instead to empower it to better protect customer data. Data Protection Impact Assessments let companies document and assess their risks; the obligation to train staff on a regular basis will reduce the amount of human error leading to data breaches; and the need to demonstrate your commitment to Information Security may mean more regular manual penetration testing, whose follow-on remediation will reduce your vulnerabilities and lessen the likelihood of a breach through hacking.
You can be sure that, despite all these best efforts, there will be eagle-eyed journalists up and down the country with their pens poised (or should that be tablets twitching), ready to report with gusto on the first big brand that falls from grace. So, what can you do to make sure it's not your brand name in the media spotlight? That it's not your reputation being dragged mercilessly through the tabloids?
These 4 steps will go a long way to ensuring it's not you.
1. Check you’ve got the basics right
Whenever there's a change to a process or procedure, it's always best practice to review whether it has been a success. Have all changes been implemented? Have they been communicated to all the relevant staff members? Do those staff members understand them? Are they being followed? And are you documenting all of this so that you can demonstrate it to the regulator? It sounds obvious, but you'd be surprised how many organisations don't.
2. Are you set-up to manage GDPR?
There is a whole host of activities that need to be performed on a regular basis. Some are process led, such as handling Data Subject Access Requests and reporting data breaches; some are action led, such as testing for vulnerabilities or tracking network access and behaviour; and some are training led, such as regular security awareness training to make staff members aware of the latest threats to your data security. Governance, including regular reporting, is key here. Do you know what 'good' looks like? How will you know whether you are succeeding? Have you set GDPR objectives, and are they SMART? Are you reporting against them, and if so, who do they get reported to? Can searches for structured and unstructured personal data be completed within the one-month deadline for responding to a subject access request? Do you have the frameworks in place to track all of this and drive continuous improvement? If this all sounds a bit daunting, that's because it requires commitment and dedicated resource. It's a lot of work, but ultimately these activities are essential to remaining compliant… and with the wealth of services out there to help, there will be no excuse should the ICO ever come knocking.
3. Have you really changed?
So, you've checked your deliverables for day one and things look like they are all working. You've even set up regular reporting and have some frameworks in place to make sure there is some Governance, but have you really changed? The most effective way to embed change is to change the business culture itself… it's also the hardest thing to achieve! But there are ways you can address this. Do you really have buy-in at the most senior level? Leading by example goes a long way. Are you going to carry out regular risk assessments? Is the Senior Management team part of your Governance process? Do you have regular (not yearly, but quarterly) training for existing staff and new starters? Do you reward positive behaviour relating to Information Security? These are just a few ways that you can start to change your business's DNA and your overall security posture.
4. If you have really changed (or are starting to), well done! Now how about a business standard?
You've seen the light (and your business has too), and together you are embracing GDPR and ready to reap the rewards that come with improved data security and Governance. Psst (don't tell everyone)… you now have the chance to turn this into a competitive advantage. There are plenty of business standards out there that look great on a company's CV (ISO 27001 or BS 10012, for example). And you can bet that if you're running an ISO 27001 information security management system, you'll have covered much of what GDPR asks of your security controls, and a lot more besides. You can choose to align to these standards and shout about it to your clients, suppliers etc., but the real value comes when you are independently certified. Yes, there's a cost attached to this, but it is sure to set you apart from some of your competitors and could be the deciding factor that clinches your next big deal.